Managing a password

ABSTRACT

A computer implemented method for managing a password is disclosed. The method can include generating a first hash value corresponding to a first password. The method can also include determining whether the first hash value corresponds with a second hash value included in the set of hash values. Further, the method can include suppressing storage of the first password in the set of passwords in response to determining that the first hash value corresponds with a second hash value included in the set of hash values.

BACKGROUND

The present disclosure relates to computer systems, and more specifically, to computer systems for managing a password.

Passwords are a widely used method of authentication used by computers and networks. A single user may use many passwords to access different password protected domains, or access password protected content. As the use of passwords for authentication increases, the need for managing passwords may also increase.

SUMMARY

Aspects of the present disclosure, in certain embodiments, are directed toward a computer implemented method for managing a password. In certain embodiments, the method can include generating a first hash value corresponding to the first password. The first hash value can be generated by a secure hash algorithm. The method can include comparing the first hash value to the set of hash values. The method can also include determining whether the first hash value corresponds with a second hash value included in the set of hash values. Further, the method can include suppressing storage of the first password in the set of passwords in response to determining that the first hash value corresponds with a second hash value included in the set of hash values.

Aspects of the present disclosure, in certain embodiments, are directed toward a computer implemented method for managing a password. The method can include determining, in response to receiving a first password, that the first password is not stored in a set of passwords. The method can further include generating, in response to determining that the first password is not stored, a first hash value corresponding to the first password. In certain embodiments, the method can include comparing the first hash value to a set of hash values. Further, the method can also include storing the first hash value in the set of hash values in response to determining that the first hash value is not included in the set of hash values.

Aspects of the present disclosure, in certain embodiments, are directed toward a system for managing a password. In certain embodiments, the system can include a determining module configured to determine, in response to receiving a first password, that the first password is not stored in a set of passwords. The system can also include a generating module configured to generate a first hash value corresponding to the first password. In certain embodiments, generating the first hash value corresponding to the first password can be performed in response to determining that the first password is not stored. The system can include a comparing module configured to compare the first hash value to a set of hash values. In certain embodiments, the system can include a storing module configured to store the first hash value in the set of hash values in response to determining that the first hash value is not included in the set of hash values.

The above summary is not intended to describe each illustrated embodiment or every implementation of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings included in the present application are incorporated into, and form part of, the specification. They illustrate embodiments of the present disclosure and, along with the description, serve to explain the principles of the disclosure. The drawings are only illustrative of certain embodiments and do not limit the disclosure.

FIG. 1 is a diagrammatic illustration of an exemplary computing environment, according to embodiments;

FIG. 2 illustrates an example network architecture for a system for managing a password, according to embodiments;

FIG. 3 is a flowchart illustrating a method for managing a password, according to embodiments;

FIG. 4 illustrates modules of a system for managing a password, according to embodiments; and

FIG. 5 is a flowchart illustrating a method for managing a password.

While the invention is amenable to various modifications and alternative forms, specifics thereof have been shown by way of example in the drawings and will be described in detail. It should be understood, however, that the intention is not to limit the invention to the particular embodiments described. On the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

DETAILED DESCRIPTION

Aspects of the present disclosure relate to various embodiments of a system and methodology for managing a password. More particular aspects relate to storing a hash value corresponding to a first password. The methodology may include determining, in response to receiving a first password, whether the first password is to be stored in a set of passwords. The methodology may include generating, in response to determining that the first password is not to be stored, a first hash value corresponding to the first password. The methodology may further include comparing the first hash value to a set of hash values. Additionally, the method may include storing the first hash value in the set of hash values. Storing the first hash value in the set of hash values may be performed in response to determining that the first hash value is not stored in the set of hash values.

Passwords are a widely used method of authentication used by computers and networks. A single user can use tens or even hundreds of passwords to access various password-protected domains or password protected content. As a result, password management has become a burden for users, who can suffer inconvenience, data loss, or other setbacks in the event that a password is lost. Various software password managers have been developed to ease this burden. For example, some internet browsers and other programs monitor passwords as they are entered by a user, and offer to “remember” (e.g., save, or store) the password. When a user next visits the same domain, the internet browser or program can enter the password automatically. Comparable systems can be used for computer boot sequences, operating system log-in, and other passwords required for secure computer operation. However, in certain situations, a user may make use of multiple passwords for different purposes within the same domain or program. In other situations, multiple users may work in a shared environment, where each user has a different password. In such situations, remembering a particular password could have negative impacts on security, and be unsafe/undesirable to store, while it may be acceptable to store one or more other passwords. Therefore, storing a password based on the domain or program module may not offer a sufficient solution. Accordingly, aspects of the present disclosure relate to a method and system that facilitates storing of a password based on the password itself. Aspects of the present disclosure are directed toward storing a hash value corresponding to a first password (e.g., a particular password that should not be remembered), and recognizing subsequent entries of the first password so as to avoid undesirable storage of the first password. The present disclosure may provide benefits associated with password management efficiency and password security.

As described herein, aspects of the present disclosure are directed toward recognizing that a first password (e.g., a particular password that should not be stored) has been entered, and suppressing a dialog menu offering storage of the first password. More particular aspects are directed toward generating a first hash value corresponding to the first password, and comparing the first hash value to a set of hash values. Each hash value of the set of hash values may, for example, correspond to a password that should not be stored. Additional aspects are directed toward deciding that the first hash value corresponds to a second hash value stored in the set of hash values, and suppressing storage of the first hash value in the set of hash values. In certain embodiments, additional hash values can be added to the set of hash values. For example, they may be added by a user, or they may be added programmatically. Further aspects of the present disclosure are also directed toward removing a hash value from the set of hash values.

Aspects of the present disclosure include a method and system for managing a password. More particular aspects relate to storing a hash value corresponding to a first password. The method and system may work on a number of devices and operating systems. Aspects of the present disclosure include determining, in response to receiving a first password, whether the first password is to be stored in a set of passwords. The first password may, for example, be entered by a user into a dialog menu. The first password may be an arbitrary-length character string. Determining that the first password is not stored in the set of passwords can include comparing the first password to the set of passwords. The set of passwords may be stored, for example, in the configuration of an internet browser.

Aspects of the present disclosure can include generating, in response to determining that the first password is not to be stored, a first hash value corresponding to the first password. The first hash value may be generated by a secure hash algorithm configured to map a data input to a non-invertible data output. The data input may be an arbitrary-length string of characters, and the data output may be a fixed-length numeric string.

Aspects of the present disclosure include comparing the first hash value to a set of hash values. The set of hash values may be associated with the configuration of an internet browser. For example, the hash values may be stored in an internet browser. Each hash value of the set of hash values may correspond with a password. Aspects of the present disclosure include storing the first hash value in the set of hash values. Storing the first hash value in the set of hash values can be performed in response to determining that the first hash value is not included in the set of hash values.

Additional aspects of the present disclosure are directed toward comparing, in response to storing the first hash value in the set of hash values, a second hash value to the set of hash values. Further, the method can include suppressing, in response to determining that the second hash value corresponds with a hash value included in the set of hash values, a dialog menu for storing the first password in a set of passwords. Additional aspects of the present disclosure are directed toward receiving a password delete request. In response to receiving the password delete request, the method can include generating a first hash value corresponding to the first password. Further, the method can include deleting, from a set of hash values, a second hash value corresponding to the first hash value.

Turning now to the figures, FIG. 1 is a diagrammatic illustration of an example computing environment, consistent with embodiments of the present disclosure. Specifically, the environment 100 can include one or more client devices 102, 104, 106 and one or more host devices 110, 112, 114. Client devices 102, 104, 106 and host devices 110, 112, 114 may be remote from each other and communicate over a network 108 in which the host devices 110, 112, 114 comprise a central hub from which client devices 102, 104, 106 can establish a communication connection. Alternatively, the host devices and client devices may be configured in any other suitable relationship (e.g., in a peer-to-peer or other relationship).

The network 100 can be implemented by any number of any suitable communications media (e.g., wide area network (WAN), local area network (LAN), Internet, Intranet, etc.). Alternatively, client 102, 104, 106 and host devices 110, 112, 114 may be local to each other, and communicate via any appropriate local communication medium (e.g., local area network (LAN), hardwire, wireless link, Intranet, etc.).

Client device 102 can include a password management application 103. The password management application 103 can facilitate determining if a password is stored in a set of passwords, generating a hash value corresponding to a password, comparing the hash value to a set of hash values, and storing a hash value in a set of hash values. The password management application 103 can be configured to access one or more databases or other computer systems to access a password protected domain or password protected content.

Host devices 110, 112, 114 can enable users to submit requests (e.g., login requests or content access requests) to host devices 110, 112, 114 for authentication. For example, the client devices 102, 104, 106 may include a login module (e.g., in the form of a web browser or any other suitable software module) and present a graphical user interface (e.g., GUI, etc.) or other interface (e.g., command line prompts, menu screens, etc.) to receive authentication requests/login requests/content access requests from users for submission to one or more host devices 110, 112, 114. The host devices may then grant or deny the authentication requests/login requests/content access requests.

In certain embodiments, one or more host devices 110, 112, 114 may include one or more databases 116. For example, the database 116 may, in certain embodiments, include protected content that requires password authentication to access. In certain embodiments, the database 116 may include stored passwords, user names, or other content accessible by the client devices 102, 104, 106.

Client devices 102, 104, 106 and host devices 110, 112, 114 may be implemented by a suitable computer system. The computer systems may be equipped with a display or monitor, a base, where the base includes at least one processor, memory and/or internal or external network interface or communications devices (e.g., modem, network cards, etc.), optional input devices (e.g., a keyboard, mouse, or other input device), and any commercially available and custom software (e.g., browser software, communications software, server software, natural language processing software, search engine and/or web crawling software, filter modules for filtering content based upon predefined criteria, etc.). The computer systems may include server, desktop, laptop, and hand-held devices. For example, the computer systems may include tablets, cell phones, smart phones, personal digital assistants, or other mobile devices. The computer systems may include one or more modules or units to perform the various functions of present disclosure embodiments described below (e.g., determining that a first password is not stored in a set of passwords, generating a hash value corresponding to the first password, comparing the first hash value to the set of hash values, storing the first hash value, etc.), and may be implemented by any combination of any quantity of software and/or hardware modules or units.

FIG. 2 illustrates an example network architecture 200 for a system for managing a password, consistent with embodiments of the present disclosure. Aspects of FIG. 2 are directed toward a network architecture 200 that facilitates the implementation of an application for managing a password. Consistent with various embodiments, the network architecture 200 can include one or more host devices 228, 244 and a client device 204 communicatively connected via a network 108. The host device 228 can include plaintext login data 240 and encrypted login data 242. As an example, in certain embodiments, the plaintext login data 240 can include stored passwords and usernames. The encrypted login data 242 can, for example, contain hash values generated by a secure hash function. The host device 244 can include protected content 256. The plaintext login data 240, encrypted login data 242, and protected content 256 can be configured to be accessible by the client device 204 in response to an input request.

As shown in FIG. 2, the client device 204, host device 228, and host device 244 can include a network interface device 227, 243, 258, a BIOS (basic input-output system) 206, 230, 246, an operating system 208, 232, 248, one or more processors or processing units 210, 234, 250, a system memory 212, 236, 252 and some form of computer-readable media 214, 238, 254. The network interface device 227, 243, 258 can facilitate communication between the client device 204, host device 228, host device 244, and the network 202. In certain embodiments, the various components of the client device 204, host device 228, and host device 244 respectively can be coupled together by a system bus.

As shown in FIG. 2, the client device 204, host device 228, and host device 244 can include one or more forms of computer-readable media 214, 238, 254. For example, computer-readable media can include storage media, such as random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, hard disks, optical disk storage, or other mediums that can be used to store information that can be accessed by the client device 204, host device 228, and host device 244, respectively. Additionally, computer-readable media can include communication media, such as computer-readable instructions, data structures, and program modules. Wired media, such as a wired network or a direct-wired connection, and wireless media, such as acoustic, radio frequency, infrared, and other wireless media are further examples of communication media. Combinations of the above are also included within the scope of computer-readable media.

In certain embodiments, the client device 204, host device 228, and host device 244 can include a BIOS 206, 230, 246 and an operating system 208, 232, 248 accessible by the system memory 212, 236, 252. The BIOS 206, 230, 246 and the operating system 208, 232, 248 can facilitate the transfer of information between elements within the client device 204, host device 228, and host device 244, respectively as well as the implementation of application programs and other program modules. A user interface can also be linked to the client device 204 that allows a user to interact with the application programs and program modules of the client device 204. For example, the user interface can include a display 224 such as a computer monitor, and an input device 226 such as a keyboard, a touch screen, or a pointing device (e.g., a mouse, trackball, pen, or touch pad).

Consistent with various embodiments, the client device 204 can include a password management application 216. The password management application 216 can be executable by the client device 204, and can be responsive to user input data for initiating a login request to access a password protected domain or password protected content, such as protected content 256 of host device 254. In certain embodiments, the password management application 216 can be configured to communicate with host device 228 and access plaintext login data 240 or encrypted login data 240. In certain embodiments, the password management application 216 can be configured to communicate with host device 244 and access protected content 256 after password authentication.

Consistent with various embodiments, the password management application 216 can include a login dialog 218. The login dialog can be associated with an internet web browser, software application, or other program module. The login dialog can be configured to prompt a user for a username and password entry in response to a request for accessing password protected content, such as protected content 256 of host device 244. For example, the login dialog 218 may be initiated by an internet webpage that allows users to log into a personal account.

In certain embodiments, the password management application 216 can include a password controller 220. The password controller 220 may facilitate storage and management of username and password data. Consistent with various embodiments of the present disclosure, the password controller 220 can be configured to receive a first password entry from a user. The password controller 220 can compare the received first password entry with a set of stored passwords. The set of stored passwords may, for instance, be stored within the plaintext login data 240 of host device 228. If the first password is not located within the list of stored passwords, the password controller 220 can generate a first hash value corresponding to the first password. Additionally, the password controller 220 can compare the first hash value to a set of hash values. The set of hash values may, for instance, be stored within the encrypted login data 242 of host device 228. In response to determining that the first hash value is not located in the encrypted login data 242, the password controller 220 can store the first hash value in the set of hash values.

FIG. 3 is a flowchart illustrating a method 300 for managing a password, consistent with embodiments of the present disclosure. Aspects of FIG. 3 are directed toward storing a hash value corresponding to a first password. The method 300 may begin at block 302 and end at block 312. Consistent with various embodiments, the method can include a determining block 304, a generating block 306, a comparing block 308, and a storing block 312.

Aspects of the present disclosure relate to the recognition that, in certain embodiments, it may not be desirable to store a password for later use. For example, multiple users may work in a shared environment, where remembering a password could have negative impacts on security. Accordingly, aspects of the present disclosure relate to a method and system that facilitates storing of a password based on the password itself. Aspects of the present disclosure are directed toward storing a hash value corresponding to a first password (e.g., a particular password that should not be remembered), and recognizing subsequent entries of the first password so as to avoid undesirable storage of the first password. Consistent with various embodiments, in response to receiving a first password from a user (e.g., via a login dialog menu), the method 300 can include presenting the user with a dialog menu including options regarding the decision to store the first password. Consistent with various embodiments, the dialog menu may include an option such as “Never store for this password.” The following discussion relates to a method facilitating storing of a first hash value corresponding to a first password for which storage is undesirable.

Consistent with various embodiments, at block 304 the method 300 can include determining, in response to receiving a first password, that the first password is not stored in a set of passwords. The first password may be received in a password login dialog menu, such as that of a web page, computer boot sequence, operating system login sequence, or other program module associated with password protected content or a password protected domain. The first password may be input by a user. As shown in FIG. 3, the method 300 can include determining that the first password is not stored in a set of saved passwords. The set of saved passwords may include one or more passwords that have been designated for storage and later use (e.g., for logging into a computer, password protected domain, account, service, etc.). In certain embodiments, the set of passwords may be stored locally. For example, the set of passwords could be stored within the configuration of an internet browser, or on a storage medium. In certain embodiments, the set of passwords may be stored remotely. For example, the set of passwords may be stored on a host device (such as host device 228 of FIG. 2) accessible over a network (such as network 202 of FIG. 2) by the device on which method 300 is implemented.

In certain embodiments, determining that the first password is not stored in the set of passwords can include comparing the first password to the set of passwords. More particularly, comparing the first password to the set of passwords can include aligning the first password with each password of the set of passwords, and verifying that the first password does not match a password of the set of passwords.

Consistent with various embodiments, at block 306 the method 300 can include generating, in response to determining that the first password is not stored, a first hash value corresponding to the first password. In certain embodiments, the first hash value corresponding to the first password can be generated using a secure hash algorithm. The secure hash algorithm can be configured to map the first password to a fixed-length bit string. In certain embodiments, the first password cannot be recovered from the bit string. Put differently, the first hash value cannot be converted back to the first password. As an example, an eight character alphanumeric password (e.g., passw0rd) could be converted into a sixteen digit numerical hash value (e.g., 1234 5678 1234 5678). While the original password cannot be retrieved from the corresponding hash value, subsequent entries of the same password (e.g., passw0rd) into the same secure hash algorithm would yield the same sixteen digit hash value (1234 5678 1234 5678). As an example, in certain embodiments, the secure hash algorithm could be selected from a list of cryptographic hash functions. For instance, in certain embodiments, the secure hash algorithm could be the SHA-3 algorithm. Other types of cryptographic hash functions, algorithms, or methods of encrypting the first password are also possible.

Consistent with various embodiments, at block 308 the method 300 can include comparing the first hash value to a set of hash values. The set of hash values may include one or more hash values that each correspond to a password for which storage may be undesirable. In certain embodiments, the set of hash values may be stored locally. For example, the set of hash values could be stored within the configuration of an internet browser, or on a storage medium. In certain embodiments, the set of hash values may be stored remotely. For example, the set of hash values may be stored on a host device (such as host device 228 of FIG. 2) accessible over a network (such as network 202 of FIG. 2) by the device on which method 300 is implemented.

In certain embodiments, determining that the first hash value is not stored in the set of hash values can include comparing the first password to the set of hash values. More particularly, comparing the first hash value to the set of hash values can include aligning the first hash value with each hash value of the set of hash values, and verifying that the first hash value does not match a hash value of the set of hash values.

Consistent with various embodiments, at block 310 the method 300 can include storing the first hash value. In certain embodiments, storing the first hash value can be performed in response to determining that the first hash value is not included in the set of hash values. Further, in certain embodiments, storing the first hash value can include adding the first hash value to the set of hash values. As described herein, the set of hash values may be stored locally (e.g., in the configuration of a web browser or on a storage medium) or remotely (e.g., in the encrypted login data 242 of host device 228 of FIG. 2).

Aspects of the present disclosure relate to the recognition that, in certain situations, after storing the first hash value in the set of hash values, the method 300 may receive subsequent entry of the first password. For example, a user may log into a password protected domain or submit a request for access to password protected content after having indicated that the first password is not to be stored (e.g., the method 300 has stored a first hash value corresponding to the first password). Accordingly, aspects of the present disclosure are directed toward recognizing that a hash value corresponding to the first password has already been stored, and suppressing the option to store the first password.

Consistent with various embodiments, the method 300 can further include comparing a second hash value to the set of hash values. In certain embodiments, the second hash value may correspond to a password entered by a user. In certain embodiments, comparing the second hash value to the set of hash values can be performed in response to storing the first hash value in the set of hash values. In certain embodiments, the second hash value may be the same as the first hash value. Comparing the second hash value to the set of hash values can include aligning the second hash value with each hash value of the set of hash values, respectively, and determining whether the second hash value matches another hash value in the set of hash values. Further, in response to determining that the second hash value corresponds (e.g., matches) with a hash value included in the set of hash values, the method 300 can include suppressing a dialog menu for storing the first password in a set of passwords.

For instance, a user may use a password of “qwerty” to log into an email account, and the user may have indicated (on a previous login session) that the password of “qwerty” should not be stored. Accordingly, a hash value (such as 1928 3847 5647 3829) could be generated for the password of “qwerty,” and stored in the set of hash values. When the user subsequently wishes to log into the email account and enters the password of “qwerty,” the method 300 can generate a hash value for the password (such as 1928 3847 5647 3829). The method 300 can then compare this hash value to the set of hash values. In response to finding the hash value 1928 3847 5647 3829 already stored in the set of hash values, the method 300 can suppress the dialog menu for offering storage of the first password in the set of passwords.

Aspects of the present disclosure relate to the recognition that, in certain embodiments, it may be desirable to store a password that had been previously designated as undesirable for storage. Accordingly, aspects of the present disclosure are directed toward a system and method for deleting a particular hash value from the set of hash values, and thereby allowing storage of a password corresponding to that particular hash value. Consistent with various embodiments, the method 300 can include receiving a password delete request. The password delete request may, for example, be received from a user, and initiated via a setting within the configuration of a web browser or other program module. The method 300 can include generating, in response to receiving a first password, a first hash value corresponding to the first password. As an example, in certain embodiments, the method 300 can include providing the user with a dialog menu prompting them to enter the password they wish to delete. Generating the first hash value corresponding to the first password can, in certain embodiments, include using a secure hash algorithm. In certain embodiments, the secure hash algorithm can be the same hash algorithm as that used at block 306 of method 300 to generate the first hash value. Further, the method 300 can include deleting from the set of hash values a second hash value corresponding to the first hash value. For example, the second hash value may match (e.g., be identical) to the first hash value. In certain embodiments, deleting the second hash value can include removing the second hash value from the set of hash values.

For instance, a password that a user has previously designated as undesirable for storage (such as a password of “qwerty”) may become acceptable for storage. In such a situation, a user could submit a request (e.g., via a dialog menu) to make the password allowable for storage. The request could prompt the user to enter the password he or she wishes to make allowable for storage. The user can enter the password of “qwerty,” into the dialog menu, and the method 300 can generate a hash value (such as 1928 3847 5647 3829) for the password. The method 300 can then compare the hash value of 1928 3847 5647 3829 to a set of hash values, and delete a hash value matching 1928 3847 5647 3829. Accordingly, the password of “qwerty” could thereafter be stored in a set of passwords.

As a practical example of method 300, in certain embodiments, a user may enter a first password to log into a first account of an email service. The user may have several email accounts hosted by the email service, and different passwords for each account. The first password may be undesirable to store for later use, while the passwords for the other email accounts may be acceptable to store for later use. Accordingly, consistent with aspects of the present disclosure, the method 300 can include providing the user with a dialog menu in which he or she can indicate his or her wish to not store the first password. For the case in which the user decides not to store the first password, the method 300 can include determining that the first password is not stored in a set of passwords. The set of passwords may, for instance, include passwords that the user has stored. In response to determining that the first password is not stored in the set of passwords, the method 300 can include generating a first hash value corresponding to the first password. The method 300 can then compare the first hash value to a set of stored hash values. Each hash value of the set of stored hash values may, for example, correspond to a password for which storage is undesirable. In response to determining that the first hash value is not included in the set of hash values, the method 300 can include storing the first hash value in the set of hash values.

Consistent with various embodiments, when the user logs into the first account on subsequent occasions, the method 300 can recognize that a first hash value corresponding to the first password has already been stored in the set of hash values, and suppress the dialog menu offering storage for the first password. Additionally, in the event that the user wishes to delete the first hash value (thereby making the first password available for storage), the method 300 can include providing the user a dialog menu (e.g., accessible via the settings menu of a web browser or other program) in which the user can enter the first password. The method 300 can then generate a first hash value corresponding to the first password, and delete a second hash value identical to the first hash value from the set of stored hash values.

FIG. 4 illustrates modules of a system for managing a password, consistent with embodiments of the present disclosure. Consistent with various embodiments, method 300 can be implemented using one or more modules of FIG. 4. These modules can be implemented on hardware, software, or firmware executable on hardware, or a combination thereof. For example, these modules may be implemented on an exemplary computer system 400.

The computer system 400 can include a managing module 402. The managing module 402 can be configured to manage a password. The managing module 402 can include a determining module 404, a matching module 406, a generating module 408, a secure hash algorithm module 410, a comparing module 412, a storing module 414, a configuration module 416, a correlating module 418, a suppressing module 420, a receiving module 422, a creating module 424, and a deleting module 426.

The determining module 404 can be configured to determine, in response to receiving a first password, that the first password is not stored in a set of passwords. The first password may, for example, be entered by a user into a dialog menu. The first password may be an arbitrary-length character string. Determining that the first password is not stored in the set of passwords can include using a matching module 406 configured to compare the first password to the set of passwords. The set of passwords may be stored, for example, in the configuration of an internet browser. The configuration module 416 can be configured to manage the set of passwords.

The generating module 408 can be configured to generate, in response to determining that the first password is not stored, a first hash value corresponding to the first password. The first hash value may be generated by a secure hash algorithm module 410 configured to map a data input to a non-invertible data output. The data input may be an arbitrary-length string of characters, and the data output may be a fixed-length numeric string.

The comparing module 412 can be configured to compare the first hash value to a set of hash values. The set of hash values may be associated with the configuration of an internet browser. The configuration module 416 can be configured to manage the set of hash values. In certain embodiments, each hash value of the set of hash values may correspond with a password. The storing module 414 can be configured to store the first hash value in the set of hash values. Storing the first hash value in the set of hash values can be performed in response to determining that the first hash value is not included in the set of hash values.

The correlating module 418 can be configured to compare, in response to storing the first hash value in the set of hash values, a second hash value to the set of hash values. Further, the suppressing module 420 can be configured to suppress, in response to determining that the second hash value corresponds with a hash value included in the set of hash values, a dialog menu for storing the first password in a set of passwords. Additional aspects of the present disclosure are directed toward receiving a password delete request. The receiving module 422 can be configured to receive the password delete request. In response to receiving the password delete request, the creating module 424 can be configured to generate a first hash value corresponding to the first password. Further, the deleting module 426 can be configured to delete, from a set of hash values, a second hash value corresponding to the first hash value.

FIG. 5 is a flowchart illustrating a method 500 for managing a password, consistent with embodiments of the present disclosure. Aspects of FIG. 5 are directed toward suppressing storage of a first password in the set of passwords. The method 500 may begin at block 502 and end at block 512. Consistent with various embodiments, the method can include a generating block 504, a comparing block 506, a determining block 508, and a suppressing block 510.

Consistent with various embodiments, at block 504 the method 500 can include generating a first hash value corresponding to a first password. In certain embodiments, the first hash value corresponding to the first password can be generated using a secure hash algorithm. The secure hash algorithm can be configured to map the first password to a fixed-length bit string. In certain embodiments, the first password cannot be recovered from the bit string. Put differently, the first hash value cannot be converted back to the first password. As an example, an eight character alphanumeric password (e.g., passw0rd) could be converted into a sixteen digit numerical hash value (e.g., 1234 5678 1234 5678). While the original password cannot be retrieved from the corresponding hash value, subsequent entries of the same password (e.g., passw0rd) into the same secure hash algorithm would yield the same sixteen digit hash value (1234 5678 1234 5678). As an example, in certain embodiments, the secure hash algorithm could be selected from a list of cryptographic hash functions. For instance, in certain embodiments, the secure hash algorithm could be the SHA-3 algorithm. Other types of cryptographic hash functions, algorithms, or methods of encrypting the first password are also possible.

Consistent with various embodiments, at block 506 the method 500 can include comparing the first hash value to a set of hash values. The set of hash values may include one or more hash values that each correspond to a password for which storage may be undesirable. In certain embodiments, the set of hash values may be stored locally. For example, the set of hash values could be stored within the configuration of an internet browser, or on a storage medium. In certain embodiments, the set of hash values may be stored remotely. For example, the set of hash values may be stored on a host device (such as host device 228 of FIG. 2) accessible over a network (such as network 202 of FIG. 2) by the device on which method 500 is implemented.

Consistent with various embodiments, at block 508 the method 500 can include determining whether the first hash value corresponds with a second hash value included in the set of hash values. As described herein, in certain embodiments, determining whether the first hash value corresponds with a second hash value can include aligning the first hash value with each hash value of the set of hash values, and ascertaining whether the first hash value matches a hash value of the set of hash values.

Consistent with various embodiments, at block 510 the method 500 can include suppressing storage of the first password in the set of passwords. In certain embodiments, suppressing storage of the first password in the set of passwords can be performed in response to determining that the first hash value corresponds with a second hash value included in the set of hash values. For instance, a user may use a password of “qwerty” to log into an email account, and the user may have indicated (on a previous login session) that the password of “qwerty” should not be stored. Accordingly, a hash value (such as 1928 3847 5647 3829) could be generated for the password of “qwerty,” and stored in the set of hash values. When the user subsequently wishes to log into the email account and enters the password of “qwerty,” the method 300 can generate a hash value for the password (such as 1928 3847 5647 3829). The method 300 can then compare this hash value to the set of hash values. In response to finding the hash value 1928 3847 5647 3829 already stored in the set of hash values, the method 300 can suppress the dialog menu for offering storage of the first password in the set of passwords.
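The flow of blocks 504 to 510, together with the password delete request described earlier, can be sketched as follows. This is an added example, not code from the disclosure: the class and method names are hypothetical, SHA3-256 is chosen because the text names SHA-3, and the random per-profile salt is an assumption added so that the stored hash of a common password such as “qwerty” cannot be matched against a precomputed table.

```python
import hashlib
import hmac
import os


class NeverSaveList:
    """Remembers declined passwords as hash values only (never the plaintext)."""

    def __init__(self, salt=None):
        # Assumption (not in the source text): a random per-profile salt, so the
        # stored values cannot be matched against precomputed SHA-3 tables.
        self.salt = salt if salt is not None else os.urandom(16)
        self.passwords = set()   # the "set of passwords" the manager may autofill
        self.hashes = []         # the "set of hash values" for declined passwords

    def _digest(self, password):
        # SHA-3 is the algorithm the text names; the output is fixed-length.
        return hashlib.sha3_256(self.salt + password.encode("utf-8")).digest()

    def _index_of(self, digest):
        # Compare against every stored value, each comparison in constant time.
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                return i
        return -1

    def on_login(self, password):
        """Blocks 504-510: decide what the save-password dialog should do."""
        if password in self.passwords:
            return "already_saved"
        if self._index_of(self._digest(password)) >= 0:
            return "suppress_prompt"
        return "offer_save"

    def decline(self, password):
        """User chose 'never save': store the hash unless it is already there."""
        digest = self._digest(password)
        if self._index_of(digest) >= 0:
            return False
        self.hashes.append(digest)
        return True

    def accept(self, password):
        """User chose 'save': the password goes into the set of passwords."""
        self.passwords.add(password)

    def delete_request(self, password):
        """Password delete request: re-hash the typed password, drop the match."""
        i = self._index_of(self._digest(password))
        if i < 0:
            return False
        del self.hashes[i]
        return True


def demo():
    store = NeverSaveList()
    steps = [store.on_login("qwerty")]          # first login: offer to save
    store.decline("qwerty")                     # user declines
    steps.append(store.on_login("qwerty"))      # later login: prompt suppressed
    store.delete_request("qwerty")              # user re-allows storage
    steps.append(store.on_login("qwerty"))      # prompt is offered again
    return steps


if __name__ == "__main__":
    print(demo())
```

Because the salt is fixed per store, the same password always maps to the same hash value within one profile, which is what the comparison at block 508 relies on.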

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

The descriptions of the various embodiments of the present disclosure have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

1.-14. (canceled)
 15. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a first computing device, causes the computing device to: generate, in response to receiving user input indicating that a first password is not to be stored in a set of passwords accessible by a password manager, a first hash value corresponding to the first password, wherein the first password cannot be retrieved from the first hash value; compare the first hash value to a set of hash values; store, in response to determining that the first hash value is not included in the set of hash values, the first hash value in the set of hash values; generate a second hash value corresponding to a second password in response to receiving the second password via a login dialog menu; compare the second hash value to the set of hash values; and in response to determining that the second hash value corresponds to the first hash value, suppress a dialog menu offering storage of the second password in the set of passwords.
 16. (canceled)
 17. The computer program product of claim 15, wherein the first hash value is generated by a secure hash algorithm configured to map a data input to a non-invertible data output.
 18. (canceled)
 19. The computer program product of claim 15, wherein the set of passwords and the set of hash values are associated with the configuration of an internet browser.
 20. The computer program product of claim 15, further comprising computer readable program code configured to cause the computing device to delete the first hash value from the set of hash values in response to receiving a password delete request corresponding to the first password.
 21. A system comprising: a display; an input device configured to receive user input; a storage device configured to store a set of hash values and to store a set of passwords used by a password manager application to enter passwords into respective login dialog menus displayed on the display; and a processor communicatively coupled to the display, to the input device, and to the storage device; wherein the processor is configured to generate a first hash value corresponding to a first password input via the input device into a respective login dialog menu displayed on the display and to compare the first hash value to the set of hash values stored in the storage device to determine whether the first hash value corresponds with a second hash value included in the set of hash values; wherein, in response to determining that the first hash value corresponds with the second hash value, the processor is further configured to suppress storage of the first password in the set of passwords used by the password manager application to enter passwords into respective login dialog menus displayed on the display.
 22. The system of claim 21, wherein the processor is further configured to add a third hash value to the set of hash values.
 23. The system of claim 22, wherein the processor is further configured to add the third hash value automatically or in response to input received from a user via the input device.
 24. The system of claim 21, wherein, in response to receiving a password delete request corresponding to the first password, the processor is further configured to delete the second hash value from the set of hash values.
 25. The system of claim 21, wherein the processor is configured to generate the first hash value by executing a secure hash algorithm configured to map a data input to a non-invertible data output.
 26. The system of claim 21, wherein the set of hash values is associated with the configuration of an internet browser.
 27. The system of claim 21, wherein the processor is further configured to determine whether the first password is stored in the set of passwords prior to comparing the first hash value to the set of hash values.
 28. The system of claim 21, wherein, in response to determining that the first hash value is not included in the set of hash values, the processor is further configured to store the first hash value in the set of hash values.
 29. A system comprising: a display; an input device configured to receive user input; a storage device configured to store a set of hash values and to store a set of passwords used by a password manager application to enter passwords into respective login dialog menus displayed on the display; and a processor communicatively coupled to the display, to the input device, and to the storage device; wherein the processor is configured to generate a first hash value corresponding to a first password in response to receiving user input via the input device, the user input indicating that the first password is not to be stored in the set of passwords; wherein the processor is further configured to compare the first hash value to the set of hash values to determine whether the first hash value is included in the set of hash values; wherein, in response to determining that the first hash value is not included in the set of hash values, the processor is further configured to store the first hash value in the set of hash values; wherein, in response to receiving a second password input via the input device into a respective login dialog menu displayed on the display, the processor is further configured to generate a second hash value corresponding to the second password and to compare the second hash value to the set of hash values to determine whether the second hash value corresponds with the first hash value; and wherein, in response to determining that the second hash value corresponds with the first hash value, the processor is further configured to suppress displaying on the display a dialog menu offering storage of the second password in the set of passwords.
 30. The system of claim 29, wherein the processor is configured to generate the first hash value by executing a secure hash algorithm configured to map a data input to a non-invertible data output.
 31. The system of claim 29, wherein the set of passwords and the set of hash values are associated with the configuration of an internet browser.
 32. The system of claim 29, wherein, in response to receiving a password delete request corresponding to the first password, the processor is further configured to delete the first hash value from the set of hash values.